OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

FOLLOW-UP ON THE SOCIAL SECURITY ADMINISTRATION'S MONITORING OF POTENTIAL EMPLOYEE SYSTEMS SECURITY VIOLATIONS

October 2007                    A-14-07-17102

AUDIT REPORT

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

  • Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
  • Promote economy, effectiveness, and efficiency within the agency.
  • Prevent and detect fraud, waste, and abuse in agency programs and operations.
  • Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
  • Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

  • Independence to determine what reviews to perform.
  • Access to all information necessary for the reviews.
  • Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY

MEMORANDUM

Date:      October 29, 2007                    Refer To:

To:        The Commissioner

From:      Inspector General

Subject:   Follow-up on the Social Security Administration's Monitoring of Potential Employee Systems Security Violations (A-14-07-17102)

OBJECTIVE

Our objective was to determine whether the Social Security Administration (SSA) implemented recommendations made in our July 2004 report, The Social Security Administration's Monitoring of Potential Employee Systems Security Violations (A-14-04-23004).

BACKGROUND

In June 1998, SSA established a uniform set of Sanctions for Unauthorized Systems Access Violations (Sanctions)[1] to secure the integrity and privacy of the personal information contained in the Agency's computer systems and to ensure that any violations of the confidentiality of its computer records are treated consistently. For more information on Sanctions, see Appendix B.

In the document Rules of Behavior for Users and Managers of SSA's Automated Information Resources,[2] the Agency describes what behavior is expected of all SSA personnel, contractors, and external users of SSA's automated information systems resources.

Managers are the primary line of defense against employee systems security violations. SSA's Integrity Review Handbook outlines the procedures for managers to use when conducting integrity reviews.[3] In an effort to prevent and uncover potential employee systems security violations, SSA developed the Comprehensive Integrity Review Process (CIRP), a monitoring tool to detect specific SSA mainframe systems activity that is considered potential fraud or misuse by employees. CIRP uses predetermined criteria to identify certain queries input by employees and generates reports for management review. SSA has developed a schedule of administrative sanctions or penalties to address people who have inappropriately used SSA's systems and information. For additional background information, see Appendix B; for our scope and methodology, see Appendix C.

[1] Information Systems Security Handbook (ISSH), Chapter 4 References, Office of Labor Management and Employee Relations website, Sanctions for Unauthorized System Access Violations, Attachment: Commissioner's Memorandum, June 22, 1998.
[2] Rules of Behavior for Users and Managers of SSA's Automated Information Resources, http://eis.ba.ssa.gov/ssasso/issh/rulesofbehavior.htm.
[3] Integrity Review Handbook, Chapter 1, April 4, 2006.

The Office of Management and Budget (OMB) guidance states:[4]

    ...safeguarding personally identifiable information[5] (PII) in the possession of the government and preventing its breach are essential to ensure the government retains the trust of the American public. This is a responsibility shared by officials accountable for administering operational and privacy and security programs, legal counsel, Agencies' Inspectors General and other law enforcement, and public and legislative affairs. It is also a function of applicable laws, such as the Federal Information Security Management Act of 2002 (FISMA) and the Privacy Act of 1974.

[4] OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007.
[5] The term "personally identifiable information" refers to information which can be used to distinguish or trace an individual's identity, such as their name, Social Security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.

RESULTS OF REVIEW

We determined that SSA has implemented our recommendations. At the time of our original audit, we noted problems with classifying violations with the correct severity level, maintaining sufficient documentation and providing appropriate case documentation to the Office of the Inspector General (OIG) in a timely manner. SSA has improved in these areas and is working to ensure that these issues are dealt with sufficiently and appropriately.

We found during our current review that the Agency could improve the system security violation monitoring and reporting process by incorporating the following suggestions:

  • Periodically issue electronic or written reminders concerning the retention of supporting documentation for systems security violations according to SSA's policy;
  • Implement a pilot where the OIG is provided all employee potential misuse and potential fraud systems security violations for two headquarters components and one regional office for 6 months;
  • Provide OIG with all potential misuse or potential fraud employee systems security violations, as identified by SSA managers as needing further investigation, to assess the information for potential criminal activity; and
  • Evaluate and modify policies and procedures to ensure employee violations of Automated Information Resources Rules of Behavior are appropriately addressed.

Recommendations from Our Prior Review

Recommendation 1: We recommended SSA establish policies and procedures on retaining all supporting documentation for potential misuse or potential fraud employee systems security violations, as identified by SSA managers as needing further investigation, so that resolutions are accessible and verifiable.

The Agency agreed with our recommendation and stated that their current policy and procedures require reasonable retention of documentation necessary to ensure effective resolution of and consistent application of Sanctions for such cases. SSA agreed to issue reminders to management concerning these policies and procedures to assure that adequate documentation is maintained.

We reviewed SSA's current policies and procedures, Operational and Administrative Records Schedules (OARS), on retaining all supporting documentation for potential misuse or potential fraud employee systems security violations, as identified by SSA managers as needing further investigation. We determined the Agency's retention policy and procedures appear appropriate to address the Agency's need in this area.

Recommendation 2: We recommended SSA maintain supporting documentation for all potential misuse or potential fraud employee systems security violations, as identified by SSA managers as needing further investigation, to ensure appropriate and consistent Sanctions are applied within the Agency.

The Agency agreed with recommendation 2 and indicated they would send out reminders as needed for management to maintain supporting documentation. During our review of 108 cases, we observed that SSA has improved on its retention of documentation related to potential systems security violations since the original audit. According to SSA, oral reminders were periodically issued to staff. As SSA experiences significant human capital turnover, we encourage SSA to ensure the integrity of the security violations review process and consider periodically issuing electronic or written reminders to managers to maintain all documentation associated with systems security violations for 4 years as required by SSA policy.

Recommendation 3: We recommended SSA provide OIG with periodic access to the potential misuse or potential fraud employee systems security violations, as identified by SSA managers as needing further investigation, to assess the information for potential criminal activity.

The Agency agreed with this recommendation. In response to recommendation 3, SSA provided OIG access to 6 months, January 2004 to June 2004, of data for cases where administrative action had already occurred. The Office of Operations evaluated the referral process and determined it would continue to refer only cases to OIG that the Agency determined were Category III cases. At that time, the OIG was enhancing its investigative database and revised the electronic 8551 (e-8551) fraud reporting form. OIG was expanding the use of the e-8551 on SSA Intranet sites to alert managers to the new process and encourage them to use it. These actions were completed after the pilot in 2004. Since an automated process exists, it would be beneficial to perform a new pilot. Our suggestion is that all potential misuse and potential fraud system security violations for two headquarters components and one regional office be submitted to the OIG for a 6-month period. Appendix E details the number of staff per SSA Office, related transactions, and reported violations. During the pilot period, SSA could assess the effectiveness and consistency of monitoring and processing system security violations Agency-wide.

Our review of the 108 cases showed that the Agency has improved on its categorization of the systems security violation cases. During our original audit, we observed numerous instances where violations that should have been Category IIB or III were categorized as a Category I or IIA. We did not find any instances of that problem during the current review.

As mandated by the Inspector General Act of 1978, the OIG is responsible for preventing and detecting fraud and abuse in agency programs and operations.[6] The Office of Investigations within the OIG protects the integrity of SSA's programs by investigating allegations of fraud, waste, and abuse.[7] For this reason, such cases should be referred to the OIG early in the administrative sanction development process to ensure fulfillment of the OIG's responsibilities and the effective enforcement of SSA's and OIG's mission.

We found that 3 of the 108 administratively sanctioned cases were referred to the OIG by SSA. Specifically, the Agency referred two Category III cases and a Category IIB case to OIG. In addition, one Category IIB and one Category III violation case were referred to the OIG by outside sources. The Category IIB case was referred to OIG by a local law enforcement agency. In this case, the employee improperly accessed SSA's Systems and disclosed the information to an unauthorized individual. With the recent release of OMB Memorandum M-07-16,[8] in the future an SSA manager should send such a case to OIG for review, since it would be considered a breach of PII. The OMB guidance states safeguarding PII and preventing its breach is a responsibility shared by officials accountable for administering operational and privacy and security programs, legal counsel, agencies' Inspectors General and other law enforcement, and public and legislative affairs.[9] The second case was referred to the OIG by an anonymous caller to the Hotline.[10] This Category III case entailed an employee who was using SSA's System to maintain or support a personal business. According to the Agency's Rules of Behavior,[11] SSA prohibits the use of e-mail to maintain or support a personal business. This case may not have been referred by SSA because the Agency is not recognizing and applying the same Systems Security Violation Sanctions to improper computer use cases.

[6] 5 U.S.C. App. 3, Section 2.
[7] OIG Manual System, OI Special Agent Handbook, Chapter 1, Section 001.020, p. 1-3.

During our audit of SSA's Incident Response and Reporting System,[12] we identified other instances of improper computer use or improper use of PII that were detected outside of the CIRP process. For example, we identified cases of computer misuse involving an SSA employee and a Disability Determination Service (DDS) employee. In one case, an SSA employee had unauthorized password cracking software on an SSA workstation. An employee could use password cracking software repeatedly to try to guess users' passwords to gain unauthorized access to a system, to retrieve all the files on an individual's computer, or even to log in to a computer. The employee was told to remove the software from his computer, but no administrative action was taken against him. In another case, a DDS employee e-mailed 55 claimants' SSNs, names, and case numbers to a "Hotmail" e-mail account. The employee sent 3 e-mails containing PII on the 55 claimants outside of SSA's secure network. This employee had just returned from a 10-day suspension for a separate, unrelated disciplinary action. Only one of these two cases was referred to the OIG, and this case was referred only after we informed the Agency of our findings. It appears that SSA is not recognizing and applying the same Systems Security Violation Sanctions to these improper computer use cases. All computer-related and PII cases that violate the Agency's Rules of Behavior[13] need to have appropriate Sanctions applied. Where potential fraud or possible criminal activity is involved, cases should be forwarded to the OIG. SSA needs to modify its policies and procedures to ensure employee systems security violations of the Automated Information Resources Rules of Behavior are appropriately addressed.

[8] OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007.
[9] Id.
[10] The SSA OIG Fraud Hotline provides an avenue for individuals to report fraud, waste, and abuse within the SSA's programs and operations. The Hotline handles allegations regarding violations of law or regulations affecting SSA programs and operations.
[11] Rules of Behavior for Users and Managers of SSA's Automated Information Resources, http://eis.ba.ssa.gov/ssasso/issh/rulesofbehavior.htm.
[12] OIG Final Report, The Social Security Administration's Incident Response and Reporting System, A-14-07-17070, dated August 3, 2007.
[13] Rules of Behavior for Users and Managers of SSA's Automated Information Resources, http://eis.ba.ssa.gov/ssasso/issh/rulesofbehavior.htm.

As noted in the background section, protecting PII is a highly significant issue for the Federal Government. The importance of protecting PII is emphasized by the recent guidance and requirements in this area issued by OMB. Based on the increased emphasis placed on protecting PII, OIG believes that some level of investigation by our office is warranted for those cases designated by SSA managers as potential misuse or potential fraud systems security violations. This investigation should occur prior to applying administrative actions.

We would like to encourage the Agency to send all Category III violations and cases that managers determine need further investigation to the OIG. In addition, the Agency should remind managers that systems security violations are not limited to the CIRP process as previously described but may include other breaches of PII, such as sending PII home through e-mail. Finally, SSA should send any appropriate cases found outside of CIRP to the OIG.

Recommendation 4: We recommended that SSA continue to ensure all integrity reviews are conducted in a more timely and in-depth manner.

The Agency agreed with this recommendation and stated they already devote significant resources to monitor accurate and timely completion of CIRP alerts.

During our review of the 108 administratively sanctioned cases, we estimated 85 percent of the sanctions were applied within 1 year of the violation (see the table below). We appreciate SSA's efforts to adequately address our recommendation to perform these reviews in a more timely and in-depth manner. We encourage the Agency to continue to expedite the review process to minimize the number of cases that take longer than 1 year to process. This will ensure the Agency's ability to protect the integrity and privacy of the personal information contained in its computer systems.

  Administrative Sanction Processing Times        Number of Cases Reviewed    Percentage of Cases Reviewed
  Less than or equal to 12 months (see note)               92                         85.2
  Greater than 1 year and less than 3 years                 8                          7.4
  Over 3 years                                              8                          7.4
  TOTAL                                                   108                        100

  Note: This includes 4 cases where employees resigned or their resignation was pending.

CONCLUSION AND RECOMMENDATIONS

SSA has made progress in addressing the four recommendations of our prior audit. SSA has established policies and procedures to retain and maintain the systems security violations documentation. In addition, the Agency is performing the integrity reviews in a more timely and in-depth manner. We encourage the Agency to continue its efforts to implement corrective actions to improve its systems security violation review process. However, to strengthen SSA's integrity review process and reduce its vulnerability to employee systems security violations, we recommend SSA:

1. Continue to send electronic or written reminders concerning retention of supporting documentation for systems security violations according to SSA's policy.

2. Implement a pilot where the OIG is provided all employee potential misuse and potential fraud systems security violations for two headquarters components and one regional office for 6 months.

3. Provide OIG with all potential misuse or potential fraud employee systems security violations, as identified by SSA managers as needing further investigation, to assess the information for potential criminal activity.

4. Evaluate and modify procedures to ensure all employee violations of Automated Information Resources Rules of Behavior are appropriately detected, reported, documented, and resolved across the organization.

AGENCY COMMENTS

SSA generally agreed with all our recommendations. See Appendix F for the full text of SSA's comments.

                                             Patrick P. O'Carroll, Jr.

Appendices

APPENDIX A – Acronyms
APPENDIX B – Background
APPENDIX C – Scope and Methodology
APPENDIX D – Sanction Cases Reviewed for Fiscal Year 2006 Systems Security Violations
APPENDIX E – Comparison of Systems Access, Transactions and Security Violations for Fiscal Year 2006
APPENDIX F – Agency Comments
APPENDIX G – OIG Contacts and Staff Acknowledgments

Follow-up Systems Security Violations Audit (A-14-07-17102)

Appendix A

Acronyms

 ATS               Audit Trail System
 CIRP              Comprehensive Integrity Review Process
 DDS               Disability Determination Service
 DSSPI             Division of Systems Security and Program Integrity
 FISMA             Federal Information Security Management Act of 2002
 FY                Fiscal Year
 ISSH              Information Systems Security Handbook
 OARS              Operational and Administrative Records Schedule
 ODAR              Office of Disability Adjudication and Review
 OIG               Office of the Inspector General
 OMB               Office of Management and Budget
 OPSOS             Office of Public Service and Operations Support
 PII               Personally Identifiable Information
 Sanctions         Sanctions for Unauthorized Systems Access Violations
 SSA               Social Security Administration

Appendix B

Background

This is a follow-up of our July 2004 report, The Social Security Administration's Monitoring of Potential Employee Systems Security Violations (A-14-04-23004). In the Comprehensive Integrity Review Process (CIRP), the manager determines whether queries are considered: 1) No Problem; 2) Potential Violation - Misuse; 3) Potential Violation - Fraud; or 4) Not-Certified – Investigation Pending. CIRP reviews must be completed and certified in a certain period of time depending on the type of review. For example, CIRP query reviews need to be completed and certified by the end of each month. If a potential security violation (misuse or fraud) is identified, the appropriate security staff[1] must be contacted to advise managers on the appropriate action to be taken. While the information in the CIRP query system is retained for a short period of time, the history of employees is maintained in the Audit Trail System (ATS) for 7 years. The ATS is designed to provide SSA security officers with the capability to monitor SSA data entry activities nationwide.

Annually, all employees are required to read and sign the Acknowledgment Statement indicating that they have read and understand the sanctions.[2] The Sanctions and Acknowledgment Statement have both been incorporated into the Information Systems Security Handbook. Employees who violate the established rules are subject to the Agency's Sanctions for systems misuse as follows:

  Systems Security Violation Category and Sanction

  Category   First Time Offense                                                         Sanction
  I          Unauthorized access without disclosure                                    2-day suspension
  IIA        Disclosure of information to an individual entitled to the information    2-day suspension
  IIB        Disclosure of information to an individual not entitled to the information   14-day suspension
  III        Unauthorized access for personal gain or with malicious intent            Removal

[1] Integrity Review Handbook, Release 3, Chapter 1, Query Review, p. 4, August 2003.
[2] Information Systems Security Handbook, Chapter 4 References, Office of Labor Management and Employee Relations website, Sanctions for Unauthorized System Access Violations, Attachment: Commissioner's Memorandum, June 22, 1998.

Appendix C

Scope and Methodology

Our scope was limited to a determination of whether the Social Security Administration (SSA) has taken sufficient measures to implement the recommendations in our 2004 report. We reviewed 108 cases from 5 regional offices,[1] the Office of Central Operations and the Office of Disability Adjudication and Review for Fiscal Year (FY) 2006. For each case, we examined the Standard Form 50, Notification of Personnel Action, and the adverse action documentation to determine whether the Agency consistently applied its Sanction policy in a timely manner. We compared all 108 cases to the National Investigative Case Management System to determine if all cases were referred to the Office of the Inspector General for investigation. We also confirmed the total number of administratively sanctioned cases provided by the Office of Public Service and Operations Support (OPSOS) with the cases received from each of the offices. In addition, we also:

1. Reviewed the following criteria:

   • Federal Information Security Management Act of 2002 (FISMA);[2]
   • Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources;
   • OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007;
   • SSA's Operational and Administrative Records Schedule's guidance on personnel records;
   • SSA's Information Systems Security Handbook;
   • SSA's Rules of Behavior for Users and Managers of SSA's Automated Information Resources;
   • SSA's Program Operations Manual System; and
   • SSA's Integrity Review Handbook.

2. Interviewed representatives from SSA's:

   • Office of Operations, OPSOS, and Division of Systems Security and Program Integrity (DSSPI). DSSPI monitors integrity reviews in the regions and the processing centers to ensure the reviews are performed timely and consistently;
   • Office of Systems Security Operations Management, which has national oversight of the integrity review process.

[1] The same five regions as the original audit: New York, Philadelphia, Atlanta, Dallas, and San Francisco.
[2] P.L. No. 107-347, Title III, section 301, codified at 44 U.S.C. § 3541 (1).

We performed our field work at SSA Headquarters between December 2006 and May 2007. We determined that the data used in this report was sufficiently reliable to meet our audit objectives and intended use of the data. We determined that our use of this data should not lead to an incorrect or unintentional message. We conducted our review in accordance with generally accepted government auditing standards.

Appendix D

Sanction Cases Reviewed for Fiscal Year 2006 Systems Security Violations

Cases OIG Received (Offenses)

  Social Security Administration Region/Offices     Cat. I   Cat. IIA   Cat. IIB   Cat. III   Total

  5 Regions
  New York                                            14         2          6          0        22
  Philadelphia                                        13         9          1          0        23
  Atlanta                                             19         5          2          1        27
  Dallas                                               8         1          0          1        10
  San Francisco                                       13         3          1          0        17

  Headquarters
  Office of Central Operations                         4         0          1          0         5
  Office of Disability Adjudication and Review         2         0          1          1         4

  Total                                               73        20         12          3       108

Appendix E

Comparison of Systems Access, Transactions, and Security Violations for Fiscal Year 2006

  Social Security Administration Offices             Number of Employees   Number of Query      Number of Systems
                                                     with Systems Access   CIRP Transactions*   Security Violations
  Office of Operations                                      65,159             12,984,139              128
  Office of Systems                                          8,334                  4,196                0
  Office of Disability Adjudication and Review               7,876                 14,831                4
  Office of Quality Performance                              1,306                113,395                0
  Office of Budget, Finance and Management                     963                  1,467                0
  Office of Disability and Income Security Programs            837                  9,896                0
  Office of the Inspector General                              621                312,418                0
  Office of General Counsel                                    571                  2,967                0
  Center for Medicare and Medicaid Services                    505                  1,358                0
  Office of Human Resources                                    412                  3,157                0
  Office of Communications                                     177                 11,910                0
  Office of Policy                                             128                    192                0
  Office of Legislation and                                     53                    314                0
  Office of Actuary                                             53                  1,667                0

  *CIRP – Comprehensive Integrity Review Process.

This chart shows that the Office of Operations is reporting the majority of violations and also has the most staff with the most mainframe access. The Office of Disability Adjudication and Review was the only other office that reported system security violations.

Appendix F

Agency Comments

MEMORANDUM

Date:      October 4, 2007                                 Refer To:   S1J-3

To:        Patrick P. O'Carroll, Jr.
           Inspector General

From:      Larry W. Dye /s/

Subject:   Office of the Inspector General (OIG) Recommendation Reconsideration Letter, "Follow-up on the Social Security Administration's Monitoring of Potential Employee Systems Security Violations" (A-14-07-17102)—INFORMATION

In response to your September 12, 2007 request to reconsider our response to recommendation 4, we now agree based on the revised language you provided for that recommendation. The attached response to recommendation 4 now reflects that we agree, while the response to recommendations 1 through 3 remains unchanged.

Please let me know if we can be of further assistance. Staff inquiries may be directed to Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at extension 54636.

Attachment:
SSA Response

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT REPORT, "FOLLOW-UP ON THE SOCIAL SECURITY ADMINISTRATION'S MONITORING OF POTENTIAL EMPLOYEE SYSTEMS SECURITY VIOLATIONS" (A-14-07-17102)

Thank you for the opportunity to review and comment on the draft report. We appreciate your conducting this follow-up audit of the Social Security Administration's (SSA) monitoring of potential employee systems security violations. Our responses to the specific recommendations are provided below.

Recommendation 1

Continue to send electronic or written reminders concerning retention of supporting documentation for systems security violations according to SSA's policy.

Comment

We agree. We have provided reminders in the past and will continue to send written and electronic reminders to management about the need to retain supporting documentation regarding systems security violations. In September 2007, we issued a reminder to managers to retain supporting documentation for systems security violations development.

Recommendation 2

Implement a pilot where OIG is provided all employee potential misuse and potential fraud systems security violations for two headquarters components and one regional office for 6 months.

Comment

We partially agree. We still do not believe there is any value in providing information on cases of misuse in which fraud is not involved.
We will, however, work with OIG to develop a process\nto submit information on all potential misuse cases for one region and two headquarters\ncomponents for a six month period.\n\nRecommendation 3\n\nProvide OIG with all potential misuse or potential fraud employee systems security violations, as\nidentified by SSA managers as needing further investigation, to assess the information for\npotential criminal activity.\n\nComment\n\nWe partially agree. As in the past, we will continue to refer all Category III violations to OIG via\nthe electronic 8551 fraud reporting form. We will continue to refer other category violations\nwhere fraud or possible criminal activity exists. This includes violations discovered through the\nFollow-up Systems Security Violations Audit (A-14-07-17102)                                      F-2\n\x0cComprehensive Integrity Review Process. As stated in our response to recommendation 2, we do\nnot see value in referring all potential violations to OIG as the vast majority of these do not\ninvolve fraud, criminal intent or criminal activity.\n\nRecommendation 4\n\nEvaluate and modify procedures to ensure all employee violations of the Automated Information\nResources Rules of Behavior are appropriately detected, reported, documented and resolved\nacross the organization.\n\nComment\n\nWe agree. We already have policies in place to address violations. Our records show that when\nwe detect violations, we have taken the appropriate disciplinary measures, documented our\nactions and reported the violations to OIG when warranted. We investigate violations and\npotential misuse, and if fraud is suspected, we refer the cases to OIG. Sanctions for\nUnauthorized Systems Access Violations (Sanctions) policies are applied when appropriate.\nHowever, not all failures to comply with the Rules of Behavior fall under Sanctions policies and\nwhen appropriate progressive discipline is applied instead of the sanction policies. 
We believe\nprogressive discipline is the appropriate manner to address the types of activities provided as\nexamples in the audit report and do not believe that they should be included in the systems\nSanctions policy. Penalties under progressive discipline may be as severe as penalties imposed\nunder Sanctions policies.\n\n\n\n\nFollow-up Systems Security Violations Audit (A-14-07-17102)                                   F-3\n\x0c                                                                     Appendix G\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Kitt Winter, Director, Data Analysis and Technical Audit Division, (410) 965-9702\n\n   Phil Rogofsky, Audit Manager, Network Security and Telecommunications Branch,\n   (410) 965-9719\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Mary Ellen Moyer, Senior Program Analyst\n   Deborah Kinsey, Senior Auditor\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Specialist at (410) 965-3218. 
Refer to Common Identification Number\nA-14-07-17102.\n\x0c                           DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Subcommittee on Human Resources\nChairman and Ranking Minority Member, Committee on Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Government Reform and\nOversight\nChairman and Ranking Minority Member, Committee on Governmental Affairs\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security and Family\nPolicy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c               Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),\nOffice of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office\nof Resource Management (ORM). 
To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, we also have a comprehensive Professional Responsibility\nand Quality Assurance program.\n                                         Office of Audit\nOA conducts and/or supervises financial and performance audits of the Social Security\nAdministration\xe2\x80\x99s (SSA) programs and operations and makes recommendations to ensure program\nobjectives are achieved effectively and efficiently. Financial audits assess whether SSA\xe2\x80\x99s\nfinancial statements fairly present SSA\xe2\x80\x99s financial position, results of operations, and cash flow.\nPerformance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s programs and\noperations. OA also conducts short-term management and program evaluations and projects on\nissues of concern to SSA, Congress, and the general public.\n\n\n                                    Office of Investigations\nOI conducts and coordinates investigative activity related to fraud, waste, abuse, and\nmismanagement in SSA programs and operations. This includes wrongdoing by applicants,\nbeneficiaries, contractors, third parties, or SSA employees performing their official duties. This\noffice serves as OIG liaison to the Department of Justice on all matters relating to the\ninvestigations of SSA programs and personnel. OI also conducts joint investigations with other\nFederal, State, and local law enforcement agencies.\n\n\n                   Office of the Chief Counsel to the Inspector General\nOCCIG provides independent legal advice and counsel to the IG on various matters, including\nstatutes, regulations, legislation, and policy directives. OCCIG also advises the IG on\ninvestigative procedures and techniques, as well as on legal implications and conclusions to be\ndrawn from audit and investigative material. 
Finally, OCCIG administers the Civil Monetary\nPenalty program.\n                              Office of Resource Management\nORM supports OIG by providing information resource management and systems security. ORM\nalso coordinates OIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human\nresources. In addition, ORM is the focal point for OIG\xe2\x80\x99s strategic planning function and the\ndevelopment and implementation of performance measures required by the Government\nPerformance and Results Act of 1993.\n\x0c"